package org.elasticsearch.xpack.core.security;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.elasticsearch.common.CheckedSupplier;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.io.Streams;
import org.elasticsearch.common.network.InetAddresses;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.transport.PortsRange;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.core.CheckedRunnable;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.Releasables;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.HttpTransportSettings;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.common.notifications.AbstractAuditor;
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
import org.elasticsearch.xpack.core.ml.inference.results.ErrorInferenceResults;
import org.elasticsearch.xpack.core.security.HttpResponse;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/CommandLineHttpClient.class */
public class CommandLineHttpClient {
    private static final int READ_TIMEOUT = 35000;
    private final Environment env;
    private final String pinnedCaCertFingerprint;

    public CommandLineHttpClient(Environment environment) {
        this.env = environment;
        this.pinnedCaCertFingerprint = null;
    }

    public CommandLineHttpClient(Environment environment, String str) {
        this.env = environment;
        this.pinnedCaCertFingerprint = str;
    }

    public HttpResponse execute(String str, URL url, String str2, SecureString secureString, CheckedSupplier<String, Exception> checkedSupplier, CheckedFunction<InputStream, HttpResponse.HttpResponseBuilder, Exception> checkedFunction) throws Exception {
        return execute(str, url, UsernamePasswordToken.basicAuthHeaderValue(str2, secureString), checkedSupplier, checkedFunction);
    }

    public HttpResponse execute(String str, URL url, SecureString secureString, CheckedSupplier<String, Exception> checkedSupplier, CheckedFunction<InputStream, HttpResponse.HttpResponseBuilder, Exception> checkedFunction) throws Exception {
        return execute(str, url, apiKeyHeaderValue(secureString), checkedSupplier, checkedFunction);
    }

    @SuppressForbidden(reason = "We call connect in doPrivileged and provide SocketPermission")
    private HttpResponse execute(String str, URL url, String str2, CheckedSupplier<String, Exception> checkedSupplier, CheckedFunction<InputStream, HttpResponse.HttpResponseBuilder, Exception> checkedFunction) throws Exception {
        HttpURLConnection httpURLConnection;
        HttpResponse.HttpResponseBuilder httpResponseBuilder;
        InputStream inputStream;
        if ("https".equalsIgnoreCase(url.getProtocol())) {
            SSLService sSLService = new SSLService(this.env);
            HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
            AccessController.doPrivileged(() -> {
                if (this.pinnedCaCertFingerprint != null) {
                    SSLContext sSLContext = SSLContext.getInstance("TLS");
                    sSLContext.init(null, new TrustManager[]{fingerprintTrustingTrustManager(this.pinnedCaCertFingerprint)}, null);
                    httpsURLConnection.setSSLSocketFactory(sSLContext.getSocketFactory());
                    return null;
                }
                SslConfiguration httpTransportSSLConfiguration = sSLService.getHttpTransportSSLConfiguration();
                httpsURLConnection.setSSLSocketFactory(sSLService.sslSocketFactory(httpTransportSSLConfiguration));
                if (httpTransportSSLConfiguration.verificationMode().isHostnameVerificationEnabled()) {
                    return null;
                }
                httpsURLConnection.setHostnameVerifier((str3, sSLSession) -> {
                    return true;
                });
                return null;
            });
            httpURLConnection = httpsURLConnection;
        } else {
            httpURLConnection = (HttpURLConnection) url.openConnection();
        }
        httpURLConnection.setRequestMethod(str);
        httpURLConnection.setReadTimeout(READ_TIMEOUT);
        httpURLConnection.setRequestProperty(UsernamePasswordToken.BASIC_AUTH_HEADER, str2);
        httpURLConnection.setRequestProperty("Content-Type", XContentType.JSON.mediaType());
        String str3 = (String) checkedSupplier.get();
        httpURLConnection.setDoOutput(str3 != null);
        HttpURLConnection httpURLConnection2 = httpURLConnection;
        Objects.requireNonNull(httpURLConnection2);
        SocketAccess.doPrivileged((CheckedRunnable<IOException>) httpURLConnection2::connect);
        if (str3 != null) {
            try {
                OutputStream outputStream = httpURLConnection.getOutputStream();
                try {
                    outputStream.write(str3.getBytes(StandardCharsets.UTF_8));
                    if (outputStream != null) {
                        outputStream.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                HttpURLConnection httpURLConnection3 = httpURLConnection;
                Objects.requireNonNull(httpURLConnection3);
                Releasables.closeWhileHandlingException(new Releasable[]{httpURLConnection3::disconnect});
                throw e;
            }
        }
        int responseCode = httpURLConnection.getResponseCode();
        try {
            try {
                inputStream = httpURLConnection.getInputStream();
            } catch (Throwable th) {
                HttpURLConnection httpURLConnection4 = httpURLConnection;
                Objects.requireNonNull(httpURLConnection4);
                Releasables.closeWhileHandlingException(new Releasable[]{httpURLConnection4::disconnect});
                throw th;
            }
        } catch (IOException e2) {
            InputStream errorStream = httpURLConnection.getErrorStream();
            try {
                httpResponseBuilder = (HttpResponse.HttpResponseBuilder) checkedFunction.apply(errorStream);
                if (errorStream != null) {
                    errorStream.close();
                }
                HttpURLConnection httpURLConnection5 = httpURLConnection;
                Objects.requireNonNull(httpURLConnection5);
                Releasables.closeWhileHandlingException(new Releasable[]{httpURLConnection5::disconnect});
            } finally {
            }
        }
        try {
            httpResponseBuilder = (HttpResponse.HttpResponseBuilder) checkedFunction.apply(inputStream);
            if (inputStream != null) {
                inputStream.close();
            }
            HttpURLConnection httpURLConnection6 = httpURLConnection;
            Objects.requireNonNull(httpURLConnection6);
            Releasables.closeWhileHandlingException(new Releasable[]{httpURLConnection6::disconnect});
            httpResponseBuilder.withHttpStatus(responseCode);
            return httpResponseBuilder.build();
        } catch (Throwable th2) {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (Throwable th3) {
                    th2.addSuppressed(th3);
                }
            }
            throw th2;
        }
    }

    public String getDefaultURL() {
        Settings settings = this.env.settings();
        String str = ((Boolean) XPackSettings.HTTP_SSL_ENABLED.get(settings)).booleanValue() ? "https" : "http";
        List list = (List) HttpTransportSettings.SETTING_HTTP_PUBLISH_HOST.get(settings);
        if (list.isEmpty()) {
            list = (List) NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.get(settings);
        }
        try {
            InetAddress resolvePublishHostAddresses = new NetworkService(Collections.emptyList()).resolvePublishHostAddresses((String[]) list.toArray(Strings.EMPTY_ARRAY));
            int intValue = ((Integer) HttpTransportSettings.SETTING_HTTP_PUBLISH_PORT.get(settings)).intValue();
            if (intValue <= 0) {
                int[] ports = ((PortsRange) HttpTransportSettings.SETTING_HTTP_PORT.get(settings)).ports();
                if (ports.length > 0) {
                    intValue = ports[0];
                }
                if (intValue <= 0) {
                    throw new IllegalStateException("unable to determine http port from settings");
                }
            }
            return str + "://" + InetAddresses.toUriString(resolvePublishHostAddresses) + ":" + intValue;
        } catch (Exception e) {
            throw new IllegalStateException("unable to determine default URL from settings, please use the -u option to explicitly provide the url", e);
        }
    }

    public static String getErrorCause(HttpResponse httpResponse) {
        Object obj = httpResponse.getResponseBody().get(ErrorInferenceResults.NAME);
        if (obj == null) {
            return null;
        }
        if (!(obj instanceof Map)) {
            return obj.toString();
        }
        Object obj2 = ((Map) obj).get("reason");
        if (obj2 != null) {
            return obj2.toString();
        }
        Object obj3 = ((Map) obj).get("root_cause");
        if (obj3 != null && (obj3 instanceof Map)) {
            Object obj4 = ((Map) obj3).get("reason");
            if (obj4 != null) {
                return obj4.toString();
            }
            Object obj5 = ((Map) obj3).get("type");
            if (obj5 != null) {
                return (String) obj5;
            }
        }
        return String.valueOf(((Map) obj).get("type"));
    }

    public void checkClusterHealthWithRetriesWaitingForCluster(String str, SecureString secureString, int i) throws Exception {
        try {
            HttpResponse execute = execute("GET", createURL(new URL(getDefaultURL()), "_cluster/health", "?wait_for_status=yellow&pretty"), str, secureString, () -> {
                return null;
            }, CommandLineHttpClient::responseBuilder);
            int httpStatus = execute.getHttpStatus();
            if (httpStatus == 200) {
                String objects = Objects.toString(execute.getResponseBody().get("status"), AbstractAuditor.All_RESOURCES_ID);
                if (objects.isEmpty()) {
                    throw new IllegalStateException("Failed to determine the health of the cluster. Cluster health API did not return a status value.");
                }
                if ("red".equalsIgnoreCase(objects)) {
                    throw new IllegalStateException("Failed to determine the health of the cluster. Cluster health is currently RED.");
                }
                return;
            }
            if (httpStatus == 503) {
                throw new IllegalStateException("Failed to determine the health of the cluster. Unexpected http status [" + httpStatus + "]");
            }
            if (i <= 0) {
                throw new IllegalStateException("Failed to determine the health of the cluster. Unexpected http status [" + httpStatus + "]");
            }
            Thread.sleep(1000L);
            checkClusterHealthWithRetriesWaitingForCluster(str, secureString, i - 1);
        } catch (Exception e) {
            if (i <= 0) {
                throw new IllegalStateException("Failed to determine the health of the cluster.", e);
            }
            Thread.sleep(1000L);
            checkClusterHealthWithRetriesWaitingForCluster(str, secureString, i - 1);
        }
    }

    public static HttpResponse.HttpResponseBuilder responseBuilder(InputStream inputStream) throws IOException {
        HttpResponse.HttpResponseBuilder httpResponseBuilder = new HttpResponse.HttpResponseBuilder();
        httpResponseBuilder.withResponseBody(Streams.readFully(inputStream).utf8ToString());
        return httpResponseBuilder;
    }

    public static URL createURL(URL url, String str, String str2) throws MalformedURLException, URISyntaxException {
        return new URL(url, (url.toURI().getPath() + str).replaceAll("//+", "/") + str2);
    }

    public static String apiKeyHeaderValue(SecureString secureString) {
        CharBuffer allocate = CharBuffer.allocate(secureString.length());
        byte[] bArr = null;
        try {
            allocate.put(secureString.getChars());
            bArr = CharArrays.toUtf8Bytes(allocate.array());
            String str = "ApiKey " + Base64.getEncoder().encodeToString(bArr);
            Arrays.fill(allocate.array(), (char) 0);
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            return str;
        } catch (Throwable th) {
            Arrays.fill(allocate.array(), (char) 0);
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            throw th;
        }
    }

    private static TrustManager fingerprintTrustingTrustManager(final String str) {
        return new X509TrustManager() { // from class: org.elasticsearch.xpack.core.security.CommandLineHttpClient.1
            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str2) throws CertificateException {
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str2) throws CertificateException {
                if (x509CertificateArr.length < 2) {
                    throw new CertificateException("CA certificate not in chain, or self-signed certificate");
                }
                X509Certificate x509Certificate = x509CertificateArr[1];
                MessageDigest sha256 = MessageDigests.sha256();
                sha256.update(x509Certificate.getEncoded());
                if (!MessageDigests.toHexString(sha256.digest()).equals(str)) {
                    throw new CertificateException();
                }
            }

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
    }
}
